CVE-2026-4072 Overview
The WordPress PayPal Donation plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in its donate shortcode, affecting all versions up to and including 1.01. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied shortcode attributes, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute whenever a user views an affected page.
Critical Impact
Authenticated attackers can inject malicious JavaScript that persists on affected pages, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of legitimate users.
Affected Products
- WordPress PayPal Donation plugin version 1.01 and earlier
- WordPress sites using the vulnerable donate shortcode
- WordPress installations with the affected plugin installed that grant Contributor-level or higher roles to their users
Discovery Timeline
- 2026-03-21 - CVE-2026-4072 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4072
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists in the wordpress_paypal_donation_create() function which processes the donate shortcode. The function uses extract(shortcode_atts(...)) to process shortcode attributes and directly interpolates user-supplied values into HTML output within single-quoted attribute values without proper escaping. Multiple shortcode attributes are vulnerable including amount, email, title, return_url, cancel_url, ccode, and image.
The attack requires authenticated access at the Contributor level or above, which limits the attack surface but still presents a significant risk in multi-author WordPress environments. Once injected, the malicious scripts persist in the WordPress database and execute in the browsers of any users who view the compromised pages.
Root Cause
The vulnerability's root cause is the failure to properly sanitize and escape user-supplied input before rendering it in HTML output. The wordpress_paypal_donation_create() function directly interpolates shortcode attribute values into HTML without applying WordPress escaping functions such as esc_attr() or esc_html(). When user-controlled data is placed within single-quoted HTML attribute values without escaping, attackers can break out of the attribute context and inject arbitrary JavaScript code.
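The unsafe pattern just described beside a hardened version, as an added example rather than the plugin's own code; it assumes the WordPress runtime (shortcode_atts(), esc_attr(), esc_url(), sanitize_email(), wp_strip_all_tags()), uses hypothetical function names, and covers a subset of the attributes listed above.

```php
<?php
// Added illustration (not the plugin's code) of the pattern the advisory
// describes beside a hardened version. Assumes the WordPress runtime
// (shortcode_atts, esc_attr, esc_url, sanitize_email, wp_strip_all_tags);
// the function names are hypothetical.

// Unsafe pattern: extract() turns attributes into variables, which are then
// interpolated straight into single-quoted HTML attributes. A single quote
// in any value ends the attribute early, the root cause described above.
function example_donate_shortcode_unsafe( $atts ) {
    extract( shortcode_atts( array(
        'amount'     => '5.00',
        'email'      => '',
        'title'      => 'Donate',
        'return_url' => '',
    ), $atts ) );
    return "<input type='hidden' name='amount' value='$amount'>"
         . "<input type='hidden' name='email' value='$email'>"
         . "<input type='hidden' name='return_url' value='$return_url'>"
         . "<input type='submit' value='$title'>";
}

// Hardened: no extract(), validate each value for its type, then escape at
// the point of output with the function that matches the HTML context.
function example_donate_shortcode_hardened( $atts ) {
    $a = shortcode_atts( array(
        'amount'     => '5.00',
        'email'      => '',
        'title'      => 'Donate',
        'return_url' => '',
    ), $atts, 'donate' );

    // Amount must be a positive number; anything else falls back to the default.
    $amount = ( is_numeric( $a['amount'] ) && (float) $a['amount'] > 0 )
        ? number_format( (float) $a['amount'], 2, '.', '' ) : '5.00';
    // sanitize_email() drops characters that cannot appear in an address.
    $email = sanitize_email( $a['email'] );
    // esc_url() returns '' for disallowed schemes such as javascript:.
    $return_url = esc_url( $a['return_url'] );
    $title = wp_strip_all_tags( $a['title'] );

    // esc_attr() encodes quotes and angle brackets, so no value can close the
    // attribute even if the validation above let something unexpected through.
    return "<input type='hidden' name='amount' value='" . esc_attr( $amount ) . "'>"
         . "<input type='hidden' name='email' value='" . esc_attr( $email ) . "'>"
         . "<input type='hidden' name='return_url' value='" . esc_attr( $return_url ) . "'>"
         . "<input type='submit' value='" . esc_attr( $title ) . "'>";
}
```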
Attack Vector
The attack vector is network-based and requires low-privileged authenticated access. An attacker with Contributor-level permissions can create or edit a WordPress post containing the donate shortcode with malicious payloads in one or more of the vulnerable attributes. When the post is published or previewed by other users, the injected scripts execute in their browser context.
The vulnerability allows attackers to potentially steal session cookies, redirect users to malicious sites, modify page content, or perform actions on behalf of authenticated administrators, leading to further site compromise.
Detection Methods for CVE-2026-4072
Indicators of Compromise
- Unusual or unexpected JavaScript code appearing within WordPress posts or pages containing the donate shortcode
- Shortcode attributes containing suspicious characters such as single quotes, angle brackets, or javascript: URIs
- Reports of unexpected browser behavior or redirects when viewing pages with PayPal donation forms
- Unauthorized modifications to posts by Contributor-level users
Detection Strategies
- Review all posts and pages containing the donate shortcode for unexpected or malicious content in shortcode attributes
- Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Monitor WordPress audit logs for suspicious post edits by Contributor-level users
- Use Web Application Firewalls (WAF) with XSS detection rules to identify injection attempts
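A scanner for the indicators listed above and the post-review strategy, added here and not taken from the advisory or the plugin; it is plain PHP with a constructed sample post, and the function name is hypothetical.

```php
<?php
// Added detection helper, not code from the advisory or the plugin. Plain
// PHP (7.2+, no WordPress runtime) so it can run over an exported
// post_content column; the sample content at the bottom is constructed.

function example_scan_donate_shortcodes( string $content ): array {
    $findings = array();
    if ( ! preg_match_all( '/\[donate\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
        return $findings;
    }
    // name="..." | name='...' | name=bare, same precedence as the WP shortcode parser.
    $attr_re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"]+))/';
    foreach ( $tags as $tag ) {
        preg_match_all( $attr_re, $tag[1], $attrs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL );
        foreach ( $attrs as $m ) {
            $value   = $m[2] ?? $m[3] ?? $m[4] ?? '';
            $reasons = array();
            // A single quote terminates the plugin's single-quoted HTML attribute; it
            // can only reach the value through a double-quoted shortcode attribute.
            if ( strpos( $value, "'" ) !== false ) {
                $reasons[] = 'single quote';
            }
            if ( preg_match( '/[<>]/', $value ) ) {
                $reasons[] = 'angle bracket';
            }
            if ( stripos( $value, 'javascript:' ) !== false ) {
                $reasons[] = 'javascript: URI';
            }
            if ( $reasons ) {
                $findings[] = array(
                    'attribute' => strtolower( $m[1] ),
                    'value'     => $value,
                    'reasons'   => $reasons,
                    'shortcode' => $tag[0],
                );
            }
        }
    }
    return $findings;
}

// Constructed sample: a clean tag, an apostrophe inside a double-quoted value
// (looks legitimate, still ends the HTML attribute), markup and a javascript: URL.
$sample = "[donate amount='10' email='fund@example.com' title='Support us']\n"
        . "[donate amount='25' title=\"Bob's fund\"]\n"
        . "[donate title='<b>Give</b>' return_url='javascript:void(0)']";

foreach ( example_scan_donate_shortcodes( $sample ) as $f ) {
    printf( "%s=%s (%s)\n", $f['attribute'], $f['value'], implode( ', ', $f['reasons'] ) );
}
```

Apostrophes in otherwise legitimate values are reported as well, because they are exactly the input that breaks the vulnerable attribute; treat hits as review candidates rather than confirmed compromise.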
Monitoring Recommendations
- Enable detailed logging for post creation and modification activities in WordPress
- Configure alerts for posts containing the donate shortcode with unusual attribute patterns
- Monitor browser console errors and CSP violation reports for signs of blocked XSS attempts
- Regularly audit user permissions to ensure only trusted users have Contributor-level access or higher
How to Mitigate CVE-2026-4072
Immediate Actions Required
- Update the WordPress PayPal Donation plugin to a patched version when available
- Audit all existing posts and pages using the donate shortcode for malicious content
- Review and restrict Contributor-level access to trusted users only
- Consider temporarily disabling the WordPress PayPal Donation plugin until a patch is available
Patch Information
The vulnerability affects WordPress PayPal Donation plugin versions up to and including 1.01. Users should monitor the WordPress PayPal Donation Plugin Code repository for updates and apply patches as soon as they become available. Additional details can be found in the Wordfence Vulnerability Report.
Workarounds
- Temporarily remove or disable the WordPress PayPal Donation plugin until a patched version is released
- Restrict shortcode usage by demoting untrusted users below Contributor level
- Implement a Web Application Firewall (WAF) with rules to block common XSS patterns in shortcode attributes
- Apply Content Security Policy headers to mitigate the impact of successful XSS attacks
# Apache .htaccess CSP header configuration to mitigate XSS impact
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.